Configure a SCIM user directory integration with Okta
Before You Begin
- Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Kandji instance. You will need to obtain the SCIM access token and API URL.
- Ensure you’re using Okta’s Advanced Lifecycle Management plan, which supports built-in, standards-based provisioning for SCIM.
- Copy and store the token provided as outlined in the SCIM Directory Integration article. The token will not be visible once you click Done and will be required in a later step.
- Be sure to review the supported user and group attributes listed in the SCIM Directory Integration article.
Create the SCIM Integration in Okta
- Log into your Okta tenant via login.okta.com.
- Once logged in, in the left-hand navigation, go to Applications > Applications.
- Click Create App Integration.
- Select SAML 2.0 as the application type and click Next.
- In General Settings, give the App a name and check both boxes within the App visibility section. Then, click Next.
- In SAML Settings, enter a dummy URL in the Single sign-on URL and Audience URI (SP Entity ID) fields. Do not change any other settings.
- In Help Okta Support understand how you configured this application, select I'm an Okta customer adding an internal app, and click Finish.
Configure SCIM settings
- In the Kandji SCIM app, navigate to the General tab.
- In the Settings section, click Edit.
- Select SCIM in the Provisioning setting.
- Do not modify any other settings, and click Save.
- In the Provisioning tab, click Edit in the Integration section.
- For SCIM connector base URL, enter the SCIM integration base URL copied from Kandji (example: https://accuhive.clients.us-1.kandji.io/api/v1/scim).
- For Unique identifier field for users, enter userName.
- For Supported provisioning actions, select Push New Users, Push Profile Updates, and Push Groups.
- For Authentication Mode, select HTTP Header.
- For Authorization, enter the Bearer Token obtained in the Kandji SCIM Directory Integration article mentioned above.
- Click Test Connector Configuration to test the integration.
- Only Create Users, Update User Attributes, and Push Groups should be checked in the modal that displays.
- While still on the Provisioning tab, go to the To App section and click Edit.
- In the Provisioning to App section, enable Create Users, Update User Attributes, and Deactivate Users.
- (Optional) In the Attribute Mappings, edit the user attributes to send to Kandji. Kandji will only store and use the attributes mentioned in the SCIM Directory Integration knowledge base article.
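As an added example (not Kandji's or Okta's own code), the following Python script reproduces what the Test Connector Configuration button checks: a single authenticated GET against the SCIM connector base URL with the token sent as an HTTP Bearer header. It assumes the Kandji endpoint follows SCIM 2.0 (RFC 7644), so that GET on the /Users collection returns a ListResponse; the tenant hostname in the script is a placeholder, the token is read from the KANDJI_SCIM_TOKEN environment variable rather than written into the file, and the bundled sample response is constructed for the offline dry run.

```python
"""Added example: reproduce Okta's "Test Connector Configuration" check
against a Kandji SCIM base URL. Assumes the endpoint follows SCIM 2.0
(RFC 7644): GET {base}/Users returns a ListResponse. Not Kandji or Okta code."""
import json
import os
import sys
import urllib.error
import urllib.request

SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample of what a SCIM server returns for GET /Users?count=2.
# The second record is deliberately missing userName to exercise the check.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [SCIM_LIST_SCHEMA],
    "totalResults": 2,
    "startIndex": 1,
    "itemsPerPage": 2,
    "Resources": [
        {"id": "u-1", "userName": "ana@example.com"},
        {"id": "u-2"},
    ],
}).encode()


def scim_headers(token: str) -> dict:
    """Headers Okta sends when Authentication Mode is HTTP Header."""
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("SCIM token is empty or contains whitespace")
    return {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}


def users_probe_url(base_url: str, count: int = 1) -> str:
    """Build the probe URL from the SCIM connector base URL (with or without a trailing slash)."""
    base = base_url.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("SCIM base URL must use https; the token travels in a header")
    return f"{base}/Users?count={count}"


def parse_list_response(body: bytes) -> dict:
    """Validate a SCIM ListResponse and return a summary that keeps no user data."""
    doc = json.loads(body)
    if SCIM_LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("response is not a SCIM ListResponse")
    resources = doc.get("Resources", [])
    # userName is the unique identifier configured in Okta; a user record
    # without it cannot be matched on later profile pushes.
    missing = [r.get("id") for r in resources if not r.get("userName")]
    return {
        "total": int(doc.get("totalResults", 0)),
        "returned": len(resources),
        "missing_username_ids": missing,
    }


def probe_connector(base_url: str, token: str, timeout: float = 10.0) -> dict:
    """Perform the live check. Raises on failure without echoing the token."""
    req = urllib.request.Request(users_probe_url(base_url), headers=scim_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_list_response(resp.read())
    except urllib.error.HTTPError as exc:
        # 401/403 usually means a mistyped or regenerated token.
        raise RuntimeError(f"SCIM probe to {base_url} failed with HTTP {exc.code}") from exc


def dry_run() -> dict:
    """Offline run over the constructed sample; no network access."""
    return parse_list_response(SAMPLE_LIST_RESPONSE)


if __name__ == "__main__":
    # Placeholder hostname; replace with your own tenant's SCIM base URL.
    base = os.environ.get("KANDJI_SCIM_BASE_URL",
                          "https://YOUR-TENANT.clients.us-1.kandji.io/api/v1/scim")
    token = os.environ.get("KANDJI_SCIM_TOKEN")
    if not token:
        print("dry run (set KANDJI_SCIM_TOKEN for a live check):", dry_run())
        sys.exit(0)
    print(probe_connector(base, token))
```

Run it with only the base URL set to see the offline dry run, or with KANDJI_SCIM_TOKEN exported to perform the same call Okta makes; an HTTP 401 or 403 from the live check is the usual sign that the token was copied incorrectly or has since been regenerated in Kandji.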
Users and Groups
- In a new browser tab, navigate to Directory > Groups to create a user group for Kandji Users and click Add Group.
- Give the group a meaningful name and click Save.
- Search for the group that you just created and add one or more test users to the group.
- If provisioning groups to Kandji, create an additional group, such as kandji_scim, that contains the same users as the previous group. This additional group is needed because the same Okta group cannot be used for app assignments and group push. See this Okta article for more information.
- Navigate back to the browser tab where the Okta SCIM app is open.
- In the Assignments tab, click Assign > Assign to Groups.
- Search for the first group that you created earlier and click Assign.
- In the Assign Kandji SCIM App to Groups modal, modify settings as needed and click Save and Go Back.
- Confirm that the group has been Assigned and click Done. The group should now show in the Groups section in the Assignments tab. Note: if the group does not display, try refreshing the browser tab.
- In the Push Groups tab, select Push Groups > Find groups by name.
- Search for the second group that you created earlier (in the example, we called it kandji_scim) and select it.
- Ensure that Create Group is chosen.
- Repeat the last three steps for any other groups that you want to push. Keep in mind that the users also must be assigned to the app in order for the association to occur in Kandji.
- If you add additional users to the group assigned to the SCIM app in Okta, be sure to also update the group that you've designated as the Push group. In our example, this group was called kandji_scim.
- Updates should be seen in Kandji fairly quickly, but if you would like to push group updates immediately, you can choose the option to Push Now from the Push Groups tab in the Okta app. More information can be found in the Okta article.
Deleting Pushed Groups
Use the following steps to stop pushing group updates or optionally delete a pushed group from Kandji.
- Go to the Push Groups tab for the app in Okta.
- In the Push Status column, select Unlink push group.
- Select the option to Delete the group in the target app (recommended). This will DELETE the group in the target app, and user accounts will NOT be deleted. The user accounts are tied to the assignment group on the Provisioning tab.
- Click Unlink.
You should no longer see the group listed in the Push Groups tab.